Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

Qlik Sense Authentication - Java

I am trying to develop a Java application which uses the Engine APIs to get all the apps and related data.

So far I have found that Qlik Sense has only NTLM or Kerberos as built in authentication mechanisms and the server needs to be connected to an external authentication module which authenticates the users. Please let me know if I have got this wrong.

Also, I have read that Qlik Sense will accept users authenticated against other systems. And then using the Ticket API or the Session module or the Header mode to access the Sense system. How does Qlik Sense know whom to trust? How do I link an external authentication module to the server?

The following is the sequence that I want to implement: authenticate -> get all apps data (please suggest if I can achieve this using REST APIs exposed or if I need to use web sockets and engine apis) -> use this information in our platform.

It would be very helpful if somebody can post a sample authentication sequence using the QPS or any other service which can be implemented without using the .NET SDK. A small concrete example would be super helpful.

Lastly, is it possible to do a simple straightforward authentication using REST APIs and using other APIs. Is there any other way to get the Apps list? Please advice.

Thanks,

Nikhil

1 Solution

Accepted Solutions
Alexander_Thor
Employee
Employee

Yes, Qlik don't have users in that manner. We can do NTML or Kerberos as we ship a LDAP user connector out of the box so we can pass through authentication in that manner. For other types of authentication you would use the QPS API to either issue tickets to users or pass on a existing session into Qlik.

All of this is enabled through certificate trust. Qlik Sense generates certificates for it's services and you can export certificates from QMC. So if your service signs the requests with the certificates, we will trust you. We will also trust that you have authenticated your users when you request a ticket or pass on a session.

However since it sounded like you are going to be parsing a large number of apps in a short time frame you will be hit by the 5 session limit imposed on user authentication. Instead I would recommend you open a websocket channel directly to the engine wss://<server>:4747/app/<enginesession> and supply a X-Qlik-User header that specifies a service user. That will allow you to bypass the 5 session limit and if you sign your requests using the certificates there is no need to authenticate as we trust the signed requests.

This is a example in javascript of how to connect directly to the Engine using websockets

QES-NoProxy-Certs.js · GitHub

There are no REST endpoints available if you wish to interact with the application so you would use the Engine API to do that.

View solution in original post

13 Replies
Alexander_Thor
Employee
Employee

Yes, Qlik don't have users in that manner. We can do NTML or Kerberos as we ship a LDAP user connector out of the box so we can pass through authentication in that manner. For other types of authentication you would use the QPS API to either issue tickets to users or pass on a existing session into Qlik.

All of this is enabled through certificate trust. Qlik Sense generates certificates for it's services and you can export certificates from QMC. So if your service signs the requests with the certificates, we will trust you. We will also trust that you have authenticated your users when you request a ticket or pass on a session.

However since it sounded like you are going to be parsing a large number of apps in a short time frame you will be hit by the 5 session limit imposed on user authentication. Instead I would recommend you open a websocket channel directly to the engine wss://<server>:4747/app/<enginesession> and supply a X-Qlik-User header that specifies a service user. That will allow you to bypass the 5 session limit and if you sign your requests using the certificates there is no need to authenticate as we trust the signed requests.

This is a example in javascript of how to connect directly to the Engine using websockets

QES-NoProxy-Certs.js · GitHub

There are no REST endpoints available if you wish to interact with the application so you would use the Engine API to do that.

Alexander_Thor
Employee
Employee

Just as a follow-up, if you are just looking to access the raw data that resides in a Qlik app you can dump tables to CSV files during script reload execution using the STORE loadscript command.

That will most likely be faster then send potentially massive amounts of data over the socket and you don't have to burden your Qlik server with having to load all apps into memory.

If you are looking at leveraging Qlik's on-demand calculation and aggregation engine, then yes you would use the Engine API.

Not applicable
Author

For exporting the certificate, could you please let me know what the machine name should be? I mean, what should be used as the machine name?

Thanks,

Nikhil

Not applicable
Author

Its up to you, however, in our project we've specified the name as the application entry domain, but that pure preference.

jp_golay
Partner - Creator II
Partner - Creator II

Hi Alexander

Is it possible to authenticate using certificates and the .NET SDK

I see no way to include certificates in .NET Qlik Engine API?

Thanks JP

ebiexperts CTO
With WIP, Control everything!
Qlik Sense, QlikView and NPrinting Source control, Versioning and Deployment, Agile Lifecycle Management
Not applicable
Author

We have decided that using Engine API with certificates based authentication is the way to go. I am trying to implement this using java-websocket library.

Thanks,

Nikhil

Not applicable
Author

Hi Alexander,

I am trying to fetch the DocList from QES in C# as you explained.

Seems that the auth by certificate is working because my Response status is completed, but i'm getting 404 as http status.

I am attaching 2 sample test functions: Using HttpWebRequest and RestSharp. Both fail with the same message.

Do you have any idea about what I may be doing wrong?

EDIT: I have tried using websockets (websocket-sharp) but am still getting errors.

I have attached my test function and the stacktrace.

Any idea why the connection is failing? (seems to be the initial handshake)

Any clues where to look in the log files?

With thanks and regards,

Jessen

Not applicable
Author

Hi Nikhil,

Have you been able to connect and interact with QES in Java? I have tried in c# but I cannot get it to work...

Thanks.